Hi,
AFAIR, this is a known problem with w2k clients.
You have to upgrade your kerberos to something > 1.3xxxx
preferably to the latest available version.
Christoph

Gordon Hopper schrieb:
I am using Samba with Active Directory. I have successfully joined my Samba server to the domain D1 ( net ads join -U [EMAIL PROTECTED] ). I am able to successfully connect from Windows XP clients ( with no password ), but not from Windows 2000 ( even when specifying a password ). With w2k, I always get "Failed to verify incoming ticket!".

I think it has something to do with the key type of the Kerberos tickets ( etype or enctype in krb5.conf ). Does Windows 2000 speak the same Kerberos 5 as Windows XP? Which key types are used by Windows? How do I know which enctype I need, and why doesn't the default enctype setting negotiate something that works?

It might also have something to do with trust relationships, since my samba machine is in domain D1.DOMAIN.COM, but my users are in domain D2.DOMAIN.COM. (And my client machine is in D3.DOMAIN.COM). Each of these domains is an active directory tree, with trust relationships between them...

But it works with an XP client, so what's different between XP and Windows 2000?

Thanks,

Gordon


Configuration files follow.

-------------------------
# smb.conf:
[global]
workgroup = D1
realm = D1.DOMAIN.COM
security = ADS
password server = d1dc02.d1.domain.com
log file = /etc/samba/samba.log

[t]
comment = Test Share
path = /tmp
read only = No
guest ok = Yes
browseable = Yes

-------------------------
# krb5.conf:
[logging]
default = FILE:/var/log/krb5.log

[libdefaults]
ticket_lifetime = 24000
default_realm = D1.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
# According to http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/admin.html#SEC17
# "the only supported encryption types are des3-hmac-sha1 and des-cbc-crc."
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
# However, http://lists.samba.org/archive/samba/2004-October/093761.html suggests:
# default_tgs_enctypes = des-cbc-crc des-cbc-md5
# default_tkt_enctypes = des-cbc-crc des-cbc-md5


[realms]
D1.DOMAIN.COM = {
 kdc = d1dc01.d1.domain.com
}
D2.DOMAIN.COM = {
 kdc = d2dc01.d2.domain.com
}

------------------------------
# from an XP machine in the d2 Domain
C:\>net use * \\samba07\t
Drive Y: is now connected to \\samba07\t .

The command completed successfully.

-----------------------------
# from an XP machine NOT in the Domain
C:\>net use * \\samba07\t
The password or user name is invalid for \\samba07\t .

Enter the user name for 'samba07': d2\username
Enter the password for samba07:
Drive Z: is now connected to \\samba07\t .

The command completed successfully.

------------------------------
# from a Windows 2000 machine in the d2 Domain:

C:\>net use * \\samba07\t
The password or user name is invalid for \\samba07\t.

Type the password for \\samba07\t:
System error 1326 has occurred.

Logon failure: unknown user name or bad password.

C:\>net use * \\samba07\t /USER:d2\username
The password or user name is invalid for \\samba07\t .

Type the password for \\samba07\t :
System error 1326 has occurred.

Logon failure: unknown user name or bad password.

# I get this message in the samba.log:

[2004/10/13 17:44:51, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
 Failed to verify incoming ticket!

----------------------------
# List of relevant packages (These are the latest updates available for RHEL 3)
$ rpm -qa | egrep 'krb5|samba'
krb5-devel-1.2.7-28
krb5-libs-1.2.7-28
krb5-workstation-1.2.7-28
samba-3.0.7-1.3E
samba-client-3.0.7-1.3E
samba-common-3.0.7-1.3E


----------------------------


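The script below is an added example and is not code from this thread or from the Samba or MIT Kerberos projects. It turns Christoph's advice ("upgrade krb5 to something > 1.3") into two checks you can run on the Samba host before editing the enctype lists in krb5.conf: read which enctype the service ticket for cifs/samba07 is actually encrypted with (from klist -e), and compare the installed MIT krb5 release against 1.3. The klist -e output embedded in the script is constructed for the scenario in the thread (a client in D2 holding a ticket for samba07 in D1); the host name samba07 and the version 1.2.7 come from the thread. The rule the script applies, that an RC4 ("ArcFour with HMAC/md5") ticket needs MIT krb5 1.3 or later while DES tickets work with 1.2.7, is this example's assumption, taken from the reply above; the tools it calls live (krb5-config --version, klist -e, hostname) are assumed to be present.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether the enctype of the
# service ticket a client presents can be verified by the krb5 library that
# smbd is linked against. Assumed rule: RC4 ("ArcFour with HMAC/md5") tickets
# need MIT krb5 >= 1.3; DES tickets are fine with the 1.2.7 from the thread.

# version_at_least HAVE WANT: true when dotted version HAVE >= WANT.
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        nh = split(have, h, "."); nw = split(want, w, ".")
        n = (nh > nw) ? nh : nw
        for (i = 1; i <= n; i++) {
            a = (i <= nh) ? h[i] + 0 : 0
            b = (i <= nw) ? w[i] + 0 : 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# krb5_release STRING: extract "1.2.7" from "Kerberos 5 release 1.2.7",
# the format printed by krb5-config --version.
krb5_release() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9.]*\).*/\1/p'
}

# ticket_enctype SERVICE: read klist -e output on stdin and print the enctype
# the ticket for SERVICE is encrypted with. klist -e prints
# "Etype (skey, tkt): <session key>, <ticket>"; the second one is what the
# server side (Samba's machine account key) must be able to decrypt.
ticket_enctype() {
    awk -v svc="$1" '
        index($0, svc) { hit = 1; next }
        hit && /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\): */, "")
            n = split($0, parts, /, */)
            print parts[n]
            hit = 0
        }
        !/Etype/ { hit = 0 }
    '
}

# needs_krb5_upgrade ENCTYPE VERSION: true when a ticket of ENCTYPE cannot be
# verified by MIT krb5 VERSION under the assumed rule (RC4 needs >= 1.3).
needs_krb5_upgrade() {
    case "$1" in
        *ArcFour*|*rc4*|*arcfour*)
            version_at_least "$2" "1.3" && return 1
            return 0 ;;
        *) return 1 ;;
    esac
}

# CONSTRUCTED klist -e output for the thread's scenario: a user from D2 with an
# RC4-encrypted service ticket for samba07 in D1.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: username@D2.DOMAIN.COM

Valid starting     Expires            Service principal
10/13/04 17:40:01  10/14/04 03:40:01  krbtgt/D2.DOMAIN.COM@D2.DOMAIN.COM
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
10/13/04 17:44:51  10/14/04 03:40:01  cifs/samba07.d1.domain.com@D1.DOMAIN.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5'

# Live check: run on the Samba host as "sh check.sh --live" after kinit
# (assumes krb5-config, klist and hostname are available).
check_live() {
    rel=$(krb5_release "$(krb5-config --version 2>/dev/null)")
    etype=$(klist -e 2>/dev/null | ticket_enctype "cifs/$(hostname)")
    echo "krb5 release: ${rel:-unknown}; ticket enctype: ${etype:-none}"
    if needs_krb5_upgrade "$etype" "${rel:-0}"; then
        echo "RC4 ticket but krb5 < 1.3: expect 'Failed to verify incoming ticket'; upgrade krb5"
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_live
else
    # Offline demo on the constructed sample: prints the ticket enctype
    printf '%s\n' "$SAMPLE_KLIST" | ticket_enctype cifs/samba07
fi
```

Run it without arguments to see the parsing on the sample; with --live it reads the real credential cache. Note that the ticket enctype is chosen by the KDC from what the client requests and what the service account's keys allow, so the lists in krb5.conf on the Samba host influence only the tickets smbd itself requests, not what the W2K client presents; the library version is what decides whether smbd can decrypt the ticket it receives.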